Aadhaar database access found to be sold on WhatsApp for Rs 500; UIDAI official acknowledges major data breach

Paying Rs 500, the investigating team were able to obtain a 'Login ID and username' which allows access to all particulars listed under any Aadhaar number.

The safety regarding data collection and storage by the UIDAI for issuing Aadhaar cards has been under question since the beginning of its implementation. Less than two months after the UIDAI dismissed reports of biometric data misuse, an investigation has revealed how easy it is for an individual to access Aadhaar details of billions of users.

The investigation conducted by The Tribune finds how readily anonymous individuals are selling Aadhaar card details of any UIDAI registered individual on payment of a nominal sum of money. With a payment of Rs 500 made online, the investigating team were able to obtain a 'Login ID and username' to a portal which allowed all particulars listed under any given Aadhaar number to be accessed. The anonymous 'agents' running the racket were found to be operating on personal chat platforms such as WhatsApp to get in touch with potential buyers.

According to the report, the investigating correspondent was able to gain immediate access to particulars including name, address, photograph, email ID as well as the mobile phone number of any individual listed by the UIDAI.

The findings of the publication dates the start of the racket to have been six months ago. This assumption was based on the findings of anonymous WhatsApp groups formed six months ago comprising of over 3 lakh village-level enterprise (VLE) operators. These operators hired by the Ministry of Electronics and Information Technology (MeitY) under the Common Service Centres Scheme (CSCs) were offered access to UIDAI data since they were entrusted the job of making Aadhaar cards available across rural sectors of the country.

However, CSCs operators were rendered useless in November by the UIDAI, who then entrusted the task of making Aadhaar cards to only banks and post offices to avoid a breach of data. As per the report, about 1 lakh VLEs are now suspected to have gained illegal access to the data, seeing an opportunity to make a quick buck on the side.

The foul play does not seem to have ended with selling access to the portal. Coughing up an additional Rs 300 also saw the anonymous agent sell a copy of the software which allows the Aadhaar card of an individual to be printed after entering the Aadhaar number on the portal.

The perpetrators also allegedly hacked into the website of the Government of Rajasthan, in the process, as the said software provided access through what was spotted as "aadhaar.rajasthan.gov.in".

The investigating team based out of Jalandhar, Punjab contacted the Additional Director-General, UIDAI Regional Centre, Chandigarh, Sanjay Jindal for a response. Jindal expressed immediate concern after the revelations were communicated.

Speaking to The Tribune, Jindal said, "Except the Director-General and I, no third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach.”